Shane W wrote:
> Hey all,
Hey Shane,
> I just finished setting up DKIM on some of our domains
> which signs an email when it goes out. However, one thing
> I'm not sure about is when scanning in the exim ACLs using
> SA Exim, it's adding various x-spam headers but it's
> dropping them at the bottom of the message after the DKIM
> signature header which unless I am off base would render
> the signature invalid.
DKIM does not sign all headers of a message, therefore you are off base
(and safe). The headers signed by DKIM are specified in the
DKIM-signature; only "From" is mandatory, other headers are optional.
Now, if a message contains SA-headers and they are signed by DKIM
and someone on the road adds additional SA-headers or modifies the
existing ones, the sender would probably run into problems.
So, limit your signatures reasonably.
For reference:
http://wiki.exim.org/DKIM, dkim_sign_headers
http://www.ietf.org/rfc/rfc4871.txt, Section 5.4
--
CU,
Patrick.
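
Added example, not part of Patrick's message: a Python sketch of which header fields a verifier takes from the `h=` list (bottom-up selection, RFC 4871 section 5.4), showing when a spam header added after signing changes the signed set. The signature values, addresses and header contents are constructed, and the check compares header selection only (no canonicalization, body hash or cryptography).

```python
# Constructed sample data; simulates h= header selection only (no crypto).

def parse_h_tag(sig_value):
    """Return the lower-cased header names from the h= tag of a DKIM-Signature value."""
    for part in sig_value.split(";"):
        key, _, value = part.partition("=")
        if key.strip() == "h":
            # drop folding whitespace, then split the colon-separated list
            return [n.lower() for n in "".join(value.split()).split(":") if n]
    return []

def signed_fields(headers, h_names):
    """Pick what a verifier hashes: for each name in h=, the lowest unused
    instance in the header block (RFC 4871, section 5.4); absent -> None."""
    used, picked = set(), []
    for name in h_names:
        for i in range(len(headers) - 1, -1, -1):
            if i not in used and headers[i][0].lower() == name:
                used.add(i)
                picked.append(headers[i])
                break
        else:
            picked.append((name, None))
    return picked

def survives(at_signing, at_verify, sig_value):
    """True if the header fields covered by h= are the same at both points."""
    h = parse_h_tag(sig_value)
    return signed_fields(at_signing, h) == signed_fields(at_verify, h)

SIG_LIMITED = ("v=1; a=rsa-sha256; d=example.org; s=sel; "
               "h=From:To:Subject:Date; bh=PLACEHOLDER; b=PLACEHOLDER")
SIG_WITH_SPAM = ("v=1; a=rsa-sha256; d=example.org; s=sel; "
                 "h=From:To:\r\n\tSubject:X-Spam-Status; bh=PLACEHOLDER; b=PLACEHOLDER")

ORIGINAL = [("From", "a@example.org"), ("To", "b@example.net"),
            ("Subject", "hi"), ("Date", "Thu, 01 Jan 2009 00:00:00 +0000"),
            ("X-Spam-Status", "No, score=0.1")]
SCANNER = ("X-Spam-Status", "No, score=1.2")   # added by a later hop
APPENDED = ORIGINAL + [SCANNER]                # dropped at the bottom
PREPENDED = [SCANNER] + ORIGINAL               # added at the top

if __name__ == "__main__":
    for label, sig in (("limited h=", SIG_LIMITED), ("h= with X-Spam-Status", SIG_WITH_SPAM)):
        print(label, "appended:", survives(ORIGINAL, APPENDED, sig),
              "prepended:", survives(ORIGINAL, PREPENDED, sig))
```
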